This PowerShell script example exports all app registration secrets and certificates whose validity extends beyond the required period, for the specified apps in your directory. The script runs non-interactively, and the output is saved to a CSV file. Note that the script as shown reads only each application's passwordCredentials (client secrets); to cover certificates as well, read the keyCredentials collection of each application in the same way.
If you don't have an Azure subscription, create an Azure free account before you begin.
Sample script
<#################################################################################
DISCLAIMER:
This is not an official PowerShell Script. We designed it specifically for the situation you have
encountered right now.
Please do not modify or change any preset parameters.
Please note that we will not be able to support the script if it's changed or altered in any way
or used in a different situation for other means.
This code-sample is provided "AS IS" without warranty of any kind, either expressed or implied,
including but not limited to the implied warranties of merchantability and/or fitness for a
particular purpose.
This sample is not supported under any Microsoft standard support program or service.
Microsoft further disclaims all implied warranties including, without limitation, any implied
warranties of merchantability or of fitness for a particular purpose.
The entire risk arising out of the use or performance of the sample and documentation remains with
you.
In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or
delivery of the script be liable for any damages whatsoever (including, without limitation, damages
for loss of business profits, business interruption, loss of business information, or other
pecuniary loss) arising out of the use of or inability to use the sample or documentation, even if
Microsoft has been advised of the possibility of such damages.
#################################################################################>
$loginURL = 'https://login.microsoftonline.com'
$resource = 'https://graph.microsoft.com'
#PARAMETERS TO CHANGE
$ClientID = 'App ID'
$ClientSecret = 'APP Secret'   # Do not leave a real secret in this file; load it from a secure store
$TenantName = 'TENANT.onmicrosoft.com'
$Months = 12                   # Number of months: secrets valid for longer than this are exported
$Path = 'add a path here\File.csv'
###################################################################
#Function to get an Access Token (client credentials flow) based on the parameters:
function Get-RefreshedToken($LoginURL, $ClientID, $ClientSecret, $TenantName) {
    $RequestParameters = @{
        Method = 'POST'
        Uri    = "$LoginURL/$TenantName/oauth2/v2.0/token"
        Body   = @{
            grant_type    = 'client_credentials'
            client_id     = $ClientID
            client_secret = $ClientSecret
            scope         = "$resource/.default"
        }
    }
    Invoke-RestMethod @RequestParameters
}
#BUILD THE ACCESS TOKEN
$RefreshParameters = @{
    LoginURL     = $loginURL
    ClientID     = $ClientID
    ClientSecret = $ClientSecret
    TenantName   = $TenantName
}
$OAuth = Get-RefreshedToken @RefreshParameters
$Identity = $OAuth.access_token
##############################################
$HeaderParams = @{
    'Authorization' = "$($OAuth.token_type) $($Identity)"
}
#First page of applications; Graph returns up to 100 per page plus an @odata.nextLink for the rest
$AppsSecrets = "$resource/v1.0/applications"
$ListRequestParams = @{
    UseBasicParsing = $true
    Headers         = $HeaderParams
    Uri             = $AppsSecrets
    Method          = 'GET'
    ContentType     = 'application/json'
}
$ApplicationsList = Invoke-WebRequest @ListRequestParams
$Logs = @()
do {
    $OData = $ApplicationsList.Content | ConvertFrom-Json
    $ApplicationEvents = $OData.value
    foreach ($ApplicationEvent in $ApplicationEvents) {
        $IDs     = $ApplicationEvent.id
        $AppName = $ApplicationEvent.displayName
        $AppID   = $ApplicationEvent.appId
        $Secrets = $ApplicationEvent.passwordCredentials
        foreach ($Secret in $Secrets) {
            #Compare calendar dates only. The [datetime] cast works whether ConvertFrom-Json
            #returned the ISO 8601 value as a string or already as a DateTime
            $DateStringStart = ([datetime]$Secret.startDateTime).Date
            $DateStringEnd   = ([datetime]$Secret.endDateTime).Date
            $OptimalDate = $DateStringStart.AddMonths($Months)
            #Report secrets whose validity period is longer than $Months
            if ($OptimalDate -lt $DateStringEnd) {
                $Log = [PSCustomObject]@{
                    'Application'       = $AppName
                    'AppID'             = $AppID
                    'Secret Start Date' = $DateStringStart
                    'Secret End Date'   = $DateStringEnd
                }
                $OwnerRequestParams = @{
                    UseBasicParsing = $true
                    Headers         = $HeaderParams
                    Uri             = "$resource/v1.0/applications/$IDs/owners"
                    Method          = 'GET'
                }
                $ApplicationsOwners = Invoke-WebRequest @OwnerRequestParams
                $Users = $ApplicationsOwners.Content |
                    ConvertFrom-Json |
                    Select-Object -ExpandProperty value
                #Add-Member fails on a second owner (the member already exists),
                #so join all owner names into a single AppOwner column
                $Owner = ($Users | ForEach-Object { $_.displayName }) -join '; '
                $Log | Add-Member -MemberType NoteProperty -Name 'AppOwner' -Value $Owner
                $Logs += $Log
            }
        }
    }
    #Follow the paging link; it is $null on the last page, which ends the loop.
    #(Counting items to 100 would never terminate when the last page is shorter than 100.)
    $AppsSecrets = $OData.'@odata.nextLink'
    if ($AppsSecrets) {
        try {
            $ListRequestParams['Uri'] = $AppsSecrets
            $ApplicationsList = Invoke-WebRequest @ListRequestParams
        } catch {
            Write-Error $_
            $AppsSecrets = $null
        }
        Start-Sleep -Seconds 1
    }
} while ($AppsSecrets)
$Logs | Export-Csv $Path -NoTypeInformation -Encoding UTF8
Script explanation
This script runs non-interactively. The administrator who uses it must change the values in the "#PARAMETERS TO CHANGE" section: their own app ID, application secret, and tenant name. They must also specify the credential lifetime, in months, beyond which an app's secrets are reported. Finally, they must set the path to which the CSV is exported. The app registration used to run the script needs the Application.Read.All application permission (with admin consent) to list applications and their owners, and because its client secret is embedded in the script in plain text, the file must be kept out of source control and readable only by the administrators who run it.
The script uses the OAuth 2.0 client credentials flow: the Get-RefreshedToken function builds the access token from the values the administrator entered in the parameters section.
The Add-Member command is responsible for creating the AppOwner column in the CSV file.
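The filtering step that the script performs against live Graph data, as an added example that is not part of the original page: a function that takes one page of the Graph `applications` response as JSON text and returns every credential whose validity period is longer than the configured number of months. It goes one step beyond the script above by inspecting keyCredentials (certificates) as well as passwordCredentials, which the page's description mentions but the script does not read. The field names follow the Graph application resource; the embedded JSON page, its application names, IDs and dates are constructed for the example, so it runs offline without a tenant.

```powershell
# Added example, not the page's script. The JSON below is a constructed sample page of
# GET /v1.0/applications; field names match the Microsoft Graph 'application' resource.
$SampleJson = @'
{
  "value": [
    {
      "id": "00000000-0000-0000-0000-000000000001",
      "appId": "11111111-1111-1111-1111-111111111111",
      "displayName": "Sample API",
      "passwordCredentials": [
        { "displayName": "long-lived",  "startDateTime": "2023-01-15T10:00:00Z", "endDateTime": "2025-01-15T10:00:00Z" },
        { "displayName": "short-lived", "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2024-06-01T00:00:00Z" }
      ],
      "keyCredentials": [
        { "displayName": "CN=sample-cert", "type": "AsymmetricX509Cert", "startDateTime": "2022-05-01T00:00:00Z", "endDateTime": "2099-12-31T23:59:59Z" }
      ]
    },
    {
      "id": "00000000-0000-0000-0000-000000000002",
      "appId": "22222222-2222-2222-2222-222222222222",
      "displayName": "Sample Worker",
      "passwordCredentials": [],
      "keyCredentials": []
    }
  ]
}
'@

function Get-LongLivedCredential {
    param(
        [Parameter(Mandatory)] [string]$PageJson,   # one page of GET /v1.0/applications
        [Parameter(Mandatory)] [int]$MaxMonths      # longest acceptable validity period
    )
    $Page = $PageJson | ConvertFrom-Json
    foreach ($App in $Page.value) {
        # Tag each credential with its kind so secrets and certificates share one loop.
        # foreach over $null or an empty array simply runs zero times.
        $Creds = @()
        foreach ($c in $App.passwordCredentials) { $Creds += [pscustomobject]@{ Kind = 'Secret';      Cred = $c } }
        foreach ($c in $App.keyCredentials)      { $Creds += [pscustomobject]@{ Kind = 'Certificate'; Cred = $c } }
        foreach ($Entry in $Creds) {
            # The [datetime] cast works whether ConvertFrom-Json returned a string or a DateTime;
            # normalising to the UTC calendar date keeps the comparison independent of the local zone.
            $Start = ([datetime]$Entry.Cred.startDateTime).ToUniversalTime().Date
            $End   = ([datetime]$Entry.Cred.endDateTime).ToUniversalTime().Date
            # Same rule as the script: report when start + MaxMonths is still before the end date.
            if ($Start.AddMonths($MaxMonths) -lt $End) {
                [pscustomobject]@{
                    Application    = $App.displayName
                    AppID          = $App.appId
                    Kind           = $Entry.Kind
                    CredentialName = $Entry.Cred.displayName
                    'Start Date'   = $Start
                    'End Date'     = $End
                    LifetimeDays   = ($End - $Start).Days
                }
            }
        }
    }
}

# Usage: with a 12-month limit the long-lived secret and the certificate are reported,
# the short-lived secret is not, and "Sample Worker" contributes nothing.
Get-LongLivedCredential -PageJson $SampleJson -MaxMonths 12 | Format-Table -AutoSize
```

To produce the same CSV as the script, replace the `Format-Table` call with `Export-Csv` and pass each page's `.Content` from `Invoke-WebRequest` to `-PageJson`; the owner lookup is left out here because it needs a live Graph call per application.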
Command | Notes |
---|---|
Invoke-WebRequest | Sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. |
Next steps
For more information about the Microsoft Graph PowerShell module, see the Microsoft Graph PowerShell overview.
For other PowerShell examples for application management, see Microsoft Graph PowerShell examples for application management.